The PISA on the Supervisor Engine 32 PISA provides hardware acceleration of services such as network-based application recognition (NBAR) and flexible packet matching (FPM) at multigigabit speeds, in addition to the management and control plane functions traditionally provided by the multilayer switch feature card (MSFC). The Supervisor Engine 32 PISA is offered with the Policy Feature Card 3B (PFC3B), to ensure feature and performance compatibility with the Cisco Catalyst 6500 Supervisor Engine 32. Two uplink options are available: 8-port Gigabit Ethernet Small Form-Factor Pluggable (SFP)-based uplinks (Figure 1) and 2-port 10 Gigabit Ethernet XENPAK-based uplinks (Figure 2). In addition to these modular uplinks, the Supervisor Engine 32 PISA also includes one port of 10/100/1000 RJ-45 for ease of network management. All ports on the Supervisor Engine 32 PISA can be active at the same time.

• Deep Packet Inspection and Application Awareness: Support for hardware acceleration of intelligent services like NBAR and FPM at multigigabit speeds and inspection 4096 bytes into the packet. NBAR is a classification engine that can recognize a wide variety of applications, including Web-based applications and client/server applications that dynamically assign TCP or User Datagram Protocol (UDP) port numbers. After the application is recognized, the network can invoke specific services for that particular application. NBAR works with quality-of-service (QoS) features to help ensure that the network bandwidth is best used to fulfill the company's objectives. These features include the ability to guarantee bandwidth to critical applications, limit bandwidth to other applications, drop selective packets to avoid congestion, and mark packets appropriately so that the network and the service provider's network can provide QoS from end to end. FPM provides the means to inspect packets for characteristics of an attack, and to take appropriate actions (log, drop). FPM provides a flexible Layer 2 through Layer 7 stateless classification mechanism. The user can specify classification criteria based on any protocol and any field of the traffic's protocol stack. Based on the classification result, actions such as drop or log can be taken on the classified traffic.

• Programmable Architecture: The Supervisor Engine 32 PISA is based on an adaptable, programmable architecture that adjusts to grow with the dynamic needs of the network. As new techniques for network intrusion or application compromise are created, the programmable nature of the Supervisor Engine 32 PISA ensures that the network administrator has the ability to quickly react to the changing environment. Additionally, the architecture integrates a high-performance hardware-based AES encryption engine to potentially support next-generation Layer 2 through 7 services requiring multigigabit encryption services in the future.

• Integrated security: The Supervisor Engine 32 PISA helps mitigate damage from denial-of-service (DoS) attacks using Control Plane Policing, hardware-based MAC learning, and user-based rate limiting. It limits threats from spoofing of the Dynamic Host Configuration Protocol (DHCP) server, default gateway, or end-user IP addresses using features such as DHCP snooping, Dynamic Address Resolution Protocol inspection (DAI), and Unicast Reverse Path Forwarding (uRPF). The supervisor engine allows close control over which users can access the network and what privileges they are granted through identity-based networking with IEEE 802.1x and port-based security. These integrated security features are hardware-based so they can be enabled concurrently without compromising system performance as traffic levels increase. The intrusion detection services module, firewall services module, or the IPsec VPN SPA can be installed in the same chassis for maximum security.

• Enhanced manageability: Enhancements include support for the Embedded Event Manager (EEM), a powerful ally for device and system management, enabling network administrators to harness the network intelligence intrinsic to Cisco IOS® Software and customize the behavior based on real network events as they happen; support for ACE counters for identifying the frequency that specific access-control-list (ACL) entries are hit; support for hardware-based NetFlow, providing a metering base for a key set of applications, including network traffic accounting, usage-based network billing, network planning, as well as denial of service monitoring capabilities; and support for Encapsulated Remote SPAN (ERSPAN), Digital Optical Monitoring, and Generic Online Diagnostic functions to simplify operational complexity. These enhanced capabilities enable network administrators to respond quickly to user access problems and simplify network management.

• Superior traffic management: Uplinks are available with four transmit queues per port, with one strict priority queue for high-priority, low-latency traffic, and two receive queues per port. Each port supports Weighted Random Early Detection (WRED) for congestion avoidance within each queue, and Shaped Round Robin (SRR) as well as Deficit Weighted Round Robin (DWRR) for scheduling between queues to aid in traffic prioritization. Up to eight thresholds can be configured to manage differentiated levels of service.

The Supervisor Engine 32 PISA provides deep packet inspection, application awareness, high levels of security, availability, and manageability for enterprise LAN access deployments. Support for hardware-accelerated FPM and NBAR on the Supervisor Engine 32 PISA allows customers to move security and classification right to the edge of their networks, providing a comprehensive worm mitigation and application classification solution. Supervisor Engine 32 PISA is capable of accelerating services at 2 Gbps for Internet mix (IMIX) traffic, which is optimal for standard campus access networks of typical enterprises using a pair of Gigabit Ethernet Small Form-Factor Pluggable (SFP) uplinks to each distribution layer switch. See Figure 3 for a deployment example.

Figure 3. Supervisor Engine 32 PISA Deployment Example in LAN Access

Enterprise WAN Edge, Internet Gateway and Service Provider Services

The Supervisor Engine 32 PISA is purpose built for enterprise WAN edge, Internet gateway, and Metro Ethernet deployments. The PISA on the Supervisor Engine 32 PISA provides hardware acceleration of intelligent services like NBAR and FPM to provide application classification and worm and virus mitigation at multigigabit speeds. Support for these intelligent services, coupled with the support for 256k routes and interface support from T1 to OC48 with shaping, makes the Supervisor Engine 32 PISA an ideal platform for WAN aggregation and Internet gateway deployments. Additionally, equipped with PFC3B, the Supervisor Engine 32 PISA ensures feature and performance compatibility with the Cisco Catalyst 6500 Supervisor Engine 32. It offers advanced hardware-accelerated IP services such as Multiprotocol Label Switching (MPLS), IPv6, Network Address Translation (NAT), generic routing encapsulation (GRE) tunneling, ACLs, rate limiting, and advanced QoS to enable network administrators to build feature-rich networks. (See Figure 4.) The uplinks of the Supervisor Engine 32 PISA can also support SRR for rate limiting traffic.

Figure 4. Supervisor Engine 32 PISA Deployment Example in WAN Aggregation and as a Service Appliance

Service Appliance

The Cisco Catalyst 6504-E, together with the Supervisor Engine 32 PISA and up to three service modules, forms an ideal service appliance. High availability can be incorporated in this appliance by making use of a dual Supervisor Engine 32 PISA configuration. Hardware-accelerated services on the PISA, along with service modules like the firewall services module and intrusion detection services (IDS) module, can be deployed together as a security appliance. These advanced services can then be distributed in the network over the integrated eight-port Gigabit Ethernet uplinks or two-port 10 Gigabit Ethernet uplinks from the Supervisor Engine 32 PISA.

Features and Benefits

Table 1 lists the features and benefits of the Supervisor Engine 32 PISA.

Table 1. Features and Benefits of Supervisor Engine 32 PISA

Features

Benefits

Secure Application Fluency and Deep Packet Inspection

Network Based Application Recognition at Multigigabit Speeds

• Provides the ability to discover protocols and applications running on the network

802.1Q and L2PT are the service enablers to offer Layer 2 VPNs. By encapsulating subscribers' data frames in a service provider 802.1Q tag and by tunneling subscribers' PDUs, 802.1Q tunneling offers Transparent LAN Services (TLS) to scale the number of Metro Ethernet subscribers beyond the 4096 VLAN boundary.

VLAN Translation increases the flexibility of single tagged 802.1Q service by decoupling subscribers' and service providers' VLAN IDs.

• IEEE 802.1D

• IEEE 802.1w

• IEEE 802.1s

• Flexlink

• Port Aggregation Protocol (PAgP)

• IEEE 802.3ad (LACP)

• Unidirectional Link Detection

Protocols such as IEEE 802.1D, IEEE 802.1w, and IEEE 802.1s help ensure business continuity by minimizing the network convergence time for time-sensitive applications.

Flexlink provides fast failover over point-to-point connections, without the overhead of control protocols.

Cisco Discovery Protocol and VTP ease the network and service configuration by detecting peer capability and by propagating the VLAN's information within the service provider network.

DDoS and Spoofing Protection, Intrusion Detection

• DHCP snooping

• Dynamic ARP inspection (DAI)

• CPU rate limiting

• Control Plane Policing

• Hardware enabled NetFlow

• User-based rate limiting

• Unicast Reverse Path Forwarding (uRPF)

• Hardware-based MAC learning

• Cisco Catalyst 6500 IDS and Firewall modules

• Broadcast and multicast suppression

• Port Security on Access, 802.1Q Trunks, and 802.1Q Tunneling ports

Provides local containment of security threats and protects networks against security vulnerabilities, including malicious and inadvertent intrusion.

Trust, Identity, and Data Confidentiality

• Identity-based networking services with IEEE 802.1x

• Network Admission Control

• IPsec support through IPsec SPA and SSC-400

Allows close control over which users can access the network and what privileges they are granted. Identifies posture (or compliance) of the device to help ensure the device can be safely admitted to the network without undue hazard.

Provides confidentiality and integrity for data, voice, and management traffic.

The Supervisor Engine 32 PISA provides the intelligent services of the Supervisor Engine 32 and at the same time provides hardware acceleration of services like NBAR and FPM. Additionally, it provides performance and price points suitable for the LAN access, WAN edge, and Metro Ethernet access (Table 7).

Table 7. Cisco Catalyst 6500 Series Supervisor Engine Comparison

Feature

Supervisor Engine 720

Supervisor Engine 32

Supervisor Engine 32 PISA

Uplinks

Two Gigabit Ethernet ports: one gigabit interface converter (GBIC) based and one configurable to GBIC based or 10/100/1000 RJ-45 based

Whether your company is a large organization, a commercial business, or a service provider, Cisco is committed to helping you maximize the return on your network investment. Cisco offers a portfolio of technical support services to help ensure that your Cisco products operate efficiently, remain highly available, and benefit from the most up-to-date system software.